10. How to Conduct Internal Investigations of Alleged Wrongdoing

Introduction

This chapter provides a framework for how to conduct an internal investigation into any situation in which the code of conduct, internal policies of a company, or applicable laws or regulations might have been breached. Although we focus on practice in Mexico, we believe the ideas we develop can be applied more broadly in whichever jurisdiction an investigation is being carried out.

When properly conducted, internal investigations allow companies to adequately respond to any adverse situation that arises from possible wrongdoing, avoid or mitigate risks and potential administrative or criminal liability, and take appropriate measures to sanction and prevent the repetition of improper conduct.

Before starting an investigation, the investigator must review the legislation applicable to the conduct being investigated and the scope of permissible investigations. Different legal areas might require review. Criminal, data protection and labour law can be relevant to each step of the investigation.

Importance of internal investigations

Internal investigations help companies to identify, prevent, measure, and avoid or mitigate risks of potential liability and determine the validity and seriousness of the concerns that have triggered the need for an investigation.

However, different laws foresee a duty to investigate internally, and regulators consider the implementation and application of internal policies before imposing any sanctions for improper conduct.

In the past years, various countries, including Argentina, Brazil, Chile, Colombia, Costa Rica, Mexico and Peru, have modified their anti-corruption laws to facilitate corporations’ prosecution and establish requirements or mitigation credit for companies’ anti-corruption compliance programmes.

Pursuant to Article 422 of the Mexican National Code of Criminal Proceedings, when determining a corporation’s liability, law enforcement authorities must consider, among other aspects of corporate culture, the existence of proper controls within the company, such as adequate investigative methods. Since Mexican laws do not currently provide objective and clear standards for evaluating such controls and procedures, the Public Prosecutor’s decision is mostly discretionary. However, in the First Annual Report of Activities and Results of the Specialized Agency for Combating Corruption, the Anti-Corruption Prosecutor María de la Luz Mijangos Borja, committed to propose guidelines to evaluate corporate compliance programmes. It will be interesting to learn about the development of prosecutorial criteria and whether they will work in a similar way to those best practices laid out by DOJ and the SEC (e.g., FCPA Resource Guide and the June 2020 DOJ Evaluation of Corporate Compliance Programs).

In addition, Article 11 of the Federal Criminal Code allows for a reduction in criminal liability of up to a quarter of the corporation’s liability, as long as the corporation proves that, before the commission of the unlawful conduct, it had a compliance department in charge of preventing that conduct and that it sought to mitigate the potential harm before or after being accused.

Furthermore, the Mexican General Administrative Responsibilities Law provides that law enforcement authorities must consider a company’s ‘integrity policy’ before determining the applicable sanctions. Article 25 of this Law provides that an integrity policy must contain, among other things:

a code of conduct duly published and circulated among all members of the organization, with systems and mechanisms of real application, and adequate reporting systems both within the organization and to the competent authorities, as well as disciplinary systems and specific consequences regarding those who act against internal policies or Mexican legislation.

Moreover, under NCCP Article 222, any person with knowledge of conduct that could constitute a crime shall report it to the authorities. Failure to report conduct that could constitute a crime could be sanctioned through the crime of concealment. Thus, the rule calls for a probabilistic analysis, measuring the likelihood of an event taking place. Therefore, corporations should decide what probability should trigger the reporting obligation. There are no precedents clarifying this. We believe that the principle of presumption of innocence should be weighed into the required probabilistic analysis. Thus, if all persons are to be considered innocent until proven guilty beyond a reasonable doubt, the probabilistic analysis should imply a high scrutiny: not just a more probable than not (preponderance of the evidence), but one that alludes to the severity of the matter at hand (beyond a reasonable doubt). Therefore, the person or corporation considering or deciding whether to self-report should evaluate whether the reported conduct supports a certain probabilistic importance meriting that report.

In enforcing the US Foreign Corrupt Practices Act (FCPA), the US Department of Justice (US DOJ) and the US Securities and Exchange Commission (US SEC) also consider the investigative steps taken by a company before imposing sanctions. The ‘Resource Guide to the US Foreign Corrupt Practices Act’ (the FCPA Resource Guide) provides that:

once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the Company’s response, including any disciplinary or remediation measures taken. Companies will want to consider taking ‘lessons learned’ from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.^[2]

In some cases, external auditors are obliged to investigate and evaluate certain potentially illegal types of conduct when analysing a company’s financial statements.

Well-done internal investigations not only decrease the risk of potential corporate liability but also foster employees’ commitment to internal policies and applicable laws.

Beginning of the investigation

A well-structured compliance programme and internal auditing systems are essential for any company to prevent and manage any potential liability. Data from self-reported cases of foreign bribery show that companies are most likely to become aware of bribery by internal audits (31 per cent), M&A due diligence (28 per cent) and whistle-blower complaints (17 per cent).^[3] Another report by an international accounting firm found that 25 per cent of the fraud cases discovered in surveyed companies came to light through whistle-blower complaints, which was the main source for detection of fraudulent acts.^[4]

A well-structured and properly publicised hotline is essential for any compliance programme and for an eventual investigation, given that it allows employees to denounce any potentially improper conduct anonymously and without fear of retaliation. This is also helpful for investigators, given that it provides additional data about allegedly improper conduct, and whistle-blowers can function as collaborative parties.

However, companies must be aware of the applicable laws, particularly regarding data protection concerning the extent to which a hotline might be used. For instance, in some countries, labour issues might be excluded from an internal hotline scope.

Besides whistle-blower complaints, internal investigations might also be triggered by direct complaints, lawsuits, threatened litigation, government inquiries, suspicion of misconduct within the company, media reports, or accidents in the workplace, among others.

On some occasions, internal investigations might be a result of government investigations. In these cases, the nature and certain aspects of an investigation might change, or an investigation and cooperation with authorities might be necessary to obtain reduced sanctions and other benefits.

Once a report is received from any internal or external source, it must be redirected to the proper authorities within the company to (1) make a preliminary assessment of the report, (2) determine the nature of the reported conduct, and (3) evaluate whether external counsel is needed.

It is usually advisable for companies to assign the responsibility of receiving, following up, and preparing reports of potential improper conduct to internal legal and compliance authorities, given their knowledge and understanding of the applicable regulations and relevant areas within the company, particularly their sensitivity to topics such as legal privilege or preservation of evidence.

Preliminary assessment

Before starting any internal investigation, a company should make a preliminary assessment of the reported conduct to determine whether an investigation is appropriate. A correct preliminary evaluation of the proper type and extent of investigation will save a company both time and costs.

Frequently, reported conduct, even if assumed to be true, might not constitute a breach of the applicable laws or regulations and can be dismissed at the outset. Furthermore, certain issues might imply an easy and quick solution without needing a full investigation. In these situations, depending on the allegation’s nature, the receiving department might solve the problem directly or forward it to the proper area to take any necessary action.

However, when there is reasonable evidence of potential improper conduct, the best course of action will be for the company to trigger an internal investigation.

The situation becomes more complicated when there are indications of potentially improper conduct, but only limited information is available in the first instance. In these cases, investigators should seek other methods of obtaining preliminary information before initiating a full investigation. One effective way to do this is to seek further assistance from the whistle-blower or conduct preliminary interviews of potentially collaborative parties while striving to preserve the investigation’s confidentiality. Otherwise, evidence could be hidden or destroyed by the alleged perpetrators.

Nature of the reported conduct

Once a company determines that a full internal investigation is necessary, it will need to unravel the nature of the reported conduct, to establish a preliminary scope of the investigation, foresee the potential implications of the conduct and determine which department would be the most suitable to carry out the investigation.

Departments that may handle these types of investigations include compliance (in respect of anti-corruption and anti-money laundering), audit (e.g., fraud and improper use of assets), legal (e.g., public bids, intellectual property and anti-trust), human resources (e.g., labour, health and workplace security) and IT (e.g., cybersecurity), among others.

However, this could greatly vary from one company to another. Some aspects to take into consideration are the resources available, the experience and authority of the investigators within the company, and the perception of independence. In any event, the investigators must be perceived as independent and must avoid any conflict of interests.

For specific types of investigations, different departments should cooperate and interact (e.g., anti-corruption, human rights, fraud and sexual harassment). When suspected misconduct involves senior management, serious misconduct or there is a potential conflict of interests, the company should take all necessary steps to maintain independence and impartiality. In these cases, it might be advisable to create a special committee of the board or retain external counsel.

Is external counsel needed?

Depending on the nature of the reported conduct, it might be advisable to retain external counsel to perform the investigation or to serve as an aid. External counsel may offer substantive expertise, relevant experience, scale, and other benefits not available from internal resources. Additionally, other external experts may be needed to assist with an internal investigation, such as forensic accountants or e-discovery vendors.

When assessing whether to retain external counsel, another consideration is the potential applicability of the attorney–client privilege and work-product doctrines. The work of external counsel is usually protected by legal privilege, whereas that of in-house counsel may not be protected. In the United States, attorney–client privilege typically applies to the work of both external and in-house counsel. Relatedly, the work of accountants and other third parties may qualify as privileged when work is under the direction of external counsel to enable counsel to provide legal advice.^[5]

In Mexico, rather than a specific attorney–client privilege, there is a general obligation for all professionals, including attorneys, to maintain professional secrecy. However, attorney–client privilege may be claimed over communications exchanged between counsel and client. This criterion has been developed only recently in Mexican law: in an antitrust investigation, tribunals have held that the privilege covers communications between a client and its external counsel. According to the courts’ interpretation, ‘communication’ is understood to refer to all information exchanged and thus refers to both spoken or written communications (e.g., verbal conversations and emails) or work-product (such as written notes or memoranda). Some of these precedents also suggest that legal privilege in Mexico shall not be applicable to in-house counsel.^[6] Under NCCP Article 362, the testimony of any person who has knowledge of the facts under investigation because of her profession is inadmissible (e.g., ministers, lawyers, human rights visitors, doctors, psychologists).Hence, companies should give careful consideration to the question of retaining external counsel at the outset of an investigation. If a company decides not to, the work-product obtained from the investigation and third parties hired by the company might not be protected under privilege. As a consequence, regulators and enforcement authorities (and civil litigants) could demand full access to those potentially adverse and incriminating documents.

Investigation plan

Confirming the preliminary assessment regarding the scope and nature of an investigation and drafting an investigation plan will provide a clear road map. As a minimum, such a plan should consider the following aspects:

• nature of the investigation;
• scope of the investigation;
• specific potential improper conduct;
• relevant stakeholders and involved parties;
• time frame;
• evidence needed and available;
• potentially applicable legislation, regulations and internal policies;
• the need for experts to conduct or assist with the investigation (e.g., forensic accountants or economists); and
• confidentiality policies.

Self-reporting or revealing that a company is conducting an investigation is always fact-specific. A company might want to disclose its investigation plan to the authorities early in the process, with the aim of receiving cooperation credit and avoiding more severe sanctions at a later stage.

Depending on the nature and facts of the investigation, it might be advisable to conduct certain interviews and request cooperation from any whistle-blower and potentially collaborating parties before moving to the investigation’s next steps. At all times, it is critical to protect the confidentiality, integrity, and potential evidence related to the investigation.

Furthermore, investigators should consider whether it is convenient to notify the implicated parties or the whole company and to what extent, always considering the measures necessary to preserve evidence and avoid retaliation.

Investigators must always be mindful of the company’s best interests and that all documents created, facts uncovered and witness statements in relation to the investigation might be shared with or requested by authorities in the future.

Preservation of evidence

An essential step at the outset of an internal investigation is preserving potentially relevant evidence. Measures to preserve evidence include:

• gathering and securing electronic and physical information (such as hard copy files);
• sending preservation notices to employees, informing them that it is prohibited to delete or destroy any relevant evidence and information;
• communicating to employees about the existence of an investigation, requesting them to cooperate and maintain the investigations’ confidentiality and stop or deter certain conduct, which may also serve to avoid any gossip and speculation within the company;
• restricting access to certain information to preserve its integrity; and
• suspending employees who could compromise the integrity of the investigation.

Investigators must always be aware of the applicable data privacy laws when securing, transferring and sharing information, and of guaranteeing appropriate protection of personal data. This is particularly relevant in transnational investigations in which information might be transferred to different countries, or shared between counsel in different jurisdictions, often offering inconsistent regulations.

Before securing information from emails or cellphones owned by the company, it is advisable to have a prior policy or consent regarding the company’s authority to access information that belongs to the company or is related to employees’ work. The company must properly inform employees that the information created and shared within the company network and systems belongs to the company and shall be subject to scrutiny, without any expectation of privacy.

Depending on the jurisdiction, it may be advisable to have a prior signed consent from employees (e.g., as a condition of employment), given that some jurisdictions require express consent to use and have access to communications from third parties. In Mexico, a prior policy without express consent could be considered insufficient to obtain and process an employee’s data.^[7]

If a company does not have a proper policy or seeks to obtain communications from personal devices, to the extent permissible, it should obtain consent from the owner of the device. The interception of private communications is usually prohibited and considered a criminal offense in many jurisdictions (e.g., Mexico).

Ownership of the documents and the chain of custody will also be relevant if the documents have to be produced in litigation, administrative or criminal proceedings, or to regulators. If the documents belong to the company, in principle, the company will be able to directly produce them before any authority. However, if the documents belong to an individual, the company will usually need that person’s consent or to request judicial assistance to obtain them lawfully.

The chain of custody is relevant in criminal and some administrative and civil proceedings to assure that the documents have not been tampered with or contaminated. Each measure and step related to gathering, handling, storing, securing, transferring and managing evidence must be properly documented to guarantee that evidence is authentic and legal. A chain of custody is a sine qua non-requirement for the validity of evidence in many criminal and some civil proceedings.^[8]

Measures to avoid retaliation

Investigators must promptly take all necessary measures to avoid any retaliation against whistle-blowers, cooperating parties, stakeholders or even the implicated parties. This helps preserve the integrity of an investigation and anyone involved.

Examples of appropriate measures to avoid retaliation are:

• maintaining the confidentiality of the whistle-blower and cooperating parties;
• restricting access to certain information;
• the temporary reallocation of certain employees; and
• the suspension or removal of potentially implicated parties.

Not being able to take appropriate measures to avoid retaliation will be viewed negatively by regulators and authorities. Furthermore, these measures strengthen a culture of compliance within the company, guaranteeing that employees will not be punished in any way for denouncing, in good faith, any improper conduct or cooperating with an investigation. By failing to take these measures, a company might give a contradictory message to its employees.

Document review

A key step in any investigation is obtaining the proper evidence regarding the potentially improper conduct. Thorough email searches are standard for virtually any significant internal investigation and have proven to be revealing in improper conduct investigations. Additionally, cellphone searches are becoming increasingly relevant, given that informal channels of communications such as Whatsapp or Telegram are being used more often as working tools. Improper conduct is now documented in emails less often, and people are more wary about what they write in emails. Other relevant evidentiary sources include working documents held in computers or databases, such as Word or Excel documents, as well as physical documents and material.

Documents and information should be collected and reviewed in light of the scope of the investigation, the implicated parties and any other evidence that suggests that the documents might be relevant for the investigation.

Numerous e-discovery platforms enable counsel or other investigators to apply search criteria to reduce the amount of information that needs to be analysed. Artificial intelligence that uses predictive coding is also a powerful tool that can reduce time and costs.

The people in charge of reviewing documents must have sufficient knowledge of the nature and scope of the investigation, the relevant facts and the information that they should be seeking, so as to properly identify relevant documents. This is often one of the most labour-intensive parts of an investigation and is essential for proper fact-finding.

Once documents have been reviewed, it is useful to have a chronology of all relevant documents and information to track and analyse key events, conduct, stakeholders and documentation. Again, investigators must be mindful of the company’s best interests and that all documents created, facts uncovered and witness statements in relation to the investigation might be shared with or requested by authorities in the future.

As well as a document review, it is sometimes advisable to seek additional sources of information and, depending on the case, to engage an accounting firm to conduct forensic transaction testing. Often, the sources of concern lie in how a company keeps its books and records. Forensic and accounting experts will analyse whether a company’s books accurately, reasonably and timely reflect the transactions represented therein. They also might look into revenue recognition in books and reality and search for discrepancies with a company’s policies. Moreover, they will frequently analyse third-party vendor accounts and whether their services and bills are well supported and conform to market standards.

Interviews

Interviews are also essential to any corporate internal investigation, ideally once a thorough document review has been performed, and the key issues have been outlined in a working chronology. Interviews should be conducted with relevant stakeholders, witnesses and implicated individuals. In general, all those materially involved in the underlying facts should be interviewed.

For this, investigators must (1) determine which parties to interview according to the evidence previously obtained, (2) draft an interview protocol regarding the relevant evidence and facts, and (3) conduct interviews in accordance with the foregoing.

The interview protocol should serve as a guideline for the interviews, by making express reference to the relevant documents by topic or chronological order and the proposed questions for interviewees. Other relevant topics that might be useful are the factual background, knowledge of the regulation applicable to the conduct and proposals for how to remediate certain types of conduct.

Depending on the case, it might be advisable first to interview witnesses and then the implicated parties, starting with lower-level employees and working up to the most senior employees. Investigators must also pay close attention to who will perform and be present during the interviews. In all cases, investigators must make sure to be perceived as independent and to try to avoid creating an overly formal environment that could affect the outcome of the interviews.

Depending on the jurisdiction, investigators typically inform interviewees (1) that they only represent the company (or whoever they represent) and do not represent the interviewees or their interests and that they may wish to seek separate counsel, (2) of the purpose of the interview, (3) that the interview is privileged and confidential and shall not be shared or disclosed by the employee with third parties, and (4) that the privilege and confidentiality of the interview belong to the company, and that only the company controls such privilege and might decide to waive and disclose it to third parties, including authorities. This is known as the Upjohn warning, which originates from the case Upjohn Co v. United States.^[9]

Interviews should seek to establish the facts by presenting relevant documentation and allowing interviewees to accurately recollect the facts and express their opinion with the aim of obtaining information that is as accurate and reliable as possible. Interviewees might request before or during the interview to have their own counsel present or to have an opportunity to be advised by their own counsel. One issue that may arise is whether the company should pay for an employee’s personal counsel.

In general, interviewers should avoid recording or transcribing interviews verbatim.

Among other considerations, recordings and transcripts are also usually not protected by legal privilege and they add an air of unnecessary formality to an interview, which can be counterproductive in some cases and can affect the quality and content of the interviewee’s responses. Consistent with legal privilege, it is usually advisable to take notes on personal perspectives, opinions about the interview and to address legal theories.

Third parties are in no way obliged to agree to these interviews and careful consideration must be given before interviewing third parties or former employees over which the company has no authority. Anti-corruption contractual clauses can in some cases be useful for the purpose of compelling a third party to cooperate. In these cases, investigators must weigh the potential benefits and costs, and act in the best interests of the company.

After the interview, employees should be reminded of the confidentiality of the information and that the information must not be shared with other employees or any third party. Once the information has been analysed, investigators must determine whether additional fact-finding in the form of document review or interviews is necessary or if they should proceed with the final report and suggested remediation measures.

Final report and remediation measures

Once an investigation has been concluded, investigators should analyse all the information gathered in the investigation and report the findings and suggested remediation measures to the appropriate officers and directors within the company (and, potentially, outside the company). The final report should address the factual issues and conclusions and provide a legal analysis of the subject matter and the potential remediation measures that the company might adopt. However, this sequence of events needs to be flexible. Investigations frequently offer insights into other aspects of the business that require greater scrutiny. Thus, one line of analysis often sets the stage for a new or deeper investigation.

Depending on the case, careful consideration must be given to whether the report will be in written form or oral.

Companies should always take appropriate remediation measures to ensure that the risk of repetition of improper conduct is mitigated and properly sanction those who may have acted improperly.. This is essential to mitigate any risk for the company and, in fact, without this step, an investigation ultimately may become meaningless.

Some typical remediation measures include:

• disciplining the implicated parties (for which it is advisable to have already established a policy);
• implementation or enhancement of internal controls;
• appropriate training;
• measures to avoid repetition of the improper conduct;
• amendment of certain contractual provisions, such as inclusion of anti-corruption representations and warranties and audit clauses;
• termination of contracts or relationships with third parties;
• disclosure within the company of certain information about the investigation and remediation measures;
• oversight of certain areas or transactions;
• periodical testing and assessment of internal controls; and
• reporting to the proper authorities, if deemed appropriate and advisable under the particular circumstances.

When taking remedial action, parties should seek to be consistent in imposing and applying measures and should always seek to reduce the risk of repetition and implement measures to identify future risks. In particular, companies must heed the lessons learned and incorporate them into their policies and procedures to avoid or mitigate recurrence risk .

Local applicable labour laws must be analysed before taking any action against employees. For instance, Mexican legislation does not allow a salary reduction^[10] and grounds for dismissal follow strict scrutiny and will always be interpreted in favour of the employee.

Finally, the appropriate department within the company must decide whether the investigation and its findings should be notified or voluntarily disclosed to regulators or other authorities, to the extent not already self-reported or otherwise known. This is a decision that should not be taken lightly and requires consultation with external counsel with proper knowledge of the jurisdiction and applicable laws.

Companies may engage in a dialogue with the authorities and opt to cooperate in their investigation to try to seek a reduction of sanctions. Some of the criteria taken into account by authorities when considering whether to reduce sanctions are whether the cooperating party:

• is the first to cooperate;
• discloses the conduct within a reasonable time frame;
• provides new and meaningful evidence to the authorities;
• cooperates continuously;
• stops participating in the improper conduct; and
• remediates the conduct appropriately and in a timely manner.

Once an authority brings charges against a company, as a general rule, the company may enter into a dialogue to address the authority’s concerns.

Some of the factors that should be considered before deciding whether voluntary disclosure is appropriate are:

• potential legal consequences faced by a company after self-reporting and resulting from the settlement (regarding civil, commercial, criminal and administrative matters);
• willingness to cooperate with law enforcement authorities;
• potential penalty reductions and the extent to which a potential settlement agreement could mitigate risks and consequences for the company;
• potential legal and reputational consequences faced by the company’s directors, officers and employees; and
• the likelihood that the authorities may otherwise learn of the relevant facts or seek to conduct an investigation.

Conclusion

As has been discussed, internal investigations are an invaluable tool for companies to mitigate risks of potential liability regarding misconduct within the company and are essential for any well-structured compliance programme. In some cases, internal investigations are also necessary or helpful in obtaining a reduction in criminal, civil or administrative penalties.^[11] Having a working compliance programme within the company, properly investigating improper conduct and sometimes self-disclosing improper conduct, has proven to be helpful when dealing with authorities.

While all investigations and companies are different, a well-conducted, successful and effective investigation must be performed under a general framework and a basic set of rules. A well-structured investigation will help to prevent any undesirable surprises and to maintain proper control of relevant conduct and facts being investigated. In contrast, an improper investigation could have disastrous outcomes for a company, even increasing significantly its risk of liability.

From the outset of an investigation, the people in charge must clearly outline the nature and scope of the conduct under review, the potential implications and who should investigate. It is also essential to consider other issues that could have serious implications, which range from the need to retain external counsel, to preserve attorney–client privilege over the investigation, and to determine which specific measures to take to preserve evidence and avoid retaliation.

While this chapter is not an exhaustive analysis of every issue and situation to take into consideration when performing an internal investigation, it should serve as a useful guide for any internal investigation a company carries out to review potential improper conduct.

Lastly, the remediation measures a company adopts after finishing an investigation are essential to mitigate the risk of repetition, including the recurrence of potential liability. This step helps companies to remediate any improper conduct and to learn from its mistakes. An investigation is incomplete without taking this critical step.

For these reasons, and many others, a proper policy addressing improper conduct and ensuring well-conducted investigations is imperative for mitigating potential liability. It is also vital to take appropriate measures to sanction individuals who engage in improper conduct and to enhance relevant controls to prevent improper conduct in the future.

Footnotes